
Tips to Prevent, Detect & Respond to Cyberattacks

How Safe Is Your Firmware?

Author: Elmar Padilla

What do a laptop, a smartphone, a router, an industrial control system, a car, a Mars rover and a weapon system have in common? All incorporate firmware -- the interface between the actual hardware of a device and the high-level software to program or interact with the device. And this firmware, unlike an operating system or application software, is poorly secured, making it extremely vulnerable to cyberattacks.

Most people are familiar with the usual cyberattack tools (malware, botnets and phishing) and take the usual care to prevent them: installing firewalls, spam filters and anti-virus software; making sure never to click on links, download attachments or divulge personal information in unsolicited emails from unrecognized senders. For the most part, this prevents hacks from attackers whose main motivation is to try to steal data or extort money from their victims.

But new kinds of attacks are emerging, for which there are hardly any commercial solutions. And the consequences of an industrial control system, a car, a Mars rover or a weapon system getting hacked are far more serious than your laptop or smartphone crashing. The annoyance of, say, having to cancel your credit card or losing your vacation photos (which should be backed up in the cloud anyway) is not in the same league as a catastrophic nuclear meltdown or furnace explosion.

Consider two real examples. In 2010, officials in Iran noticed that centrifuges used to enrich uranium were failing for no apparent reason, and other computers were mysteriously crashing and rebooting. By chance, the Iranian officials discovered that a malicious virus known as Stuxnet -- engineered specifically to sabotage physical machines -- had been implanted into their systems without their knowledge.

Four years later, the furnace of a German steel mill could not be shut down because the system controlling it had been similarly compromised by malware. There was "massive damage," according to a federal report on the incident, though the true extent of the damage and the name of the company were never released -- signaling the seriousness with which authorities are treating this case of industrial sabotage.

These two events are disturbing not just because they represent, for the first time ever, the hacking of industrial equipment to cause physical damage (as opposed to a software hack of a person's or a company's computer to steal data or money). More worrying is the advice of German officials on how best to avoid such incidents in the future: keep your business and production networks separate. As a Wired magazine article observed: "to keep hackers from leaping from one network to another and remotely accessing critical systems over the internet... a network can only be considered truly air-gapped if it's not connected to the internet and is not connected to other systems that are connected to the internet."

And therein lies the growing challenge in the age of the industrial internet or the Internet of Things, where the trend is for exponentially more digitalization and networking of physical devices. Companies frequently extol the efficiency gains, cost savings and added flexibility afforded by Industry 4.0. German enterprises, in particular, have said they plan to invest 40 billion euros a year in Industry 4.0, expecting over 80 percent of their value chains to be highly digitalized by 2020, according to a PricewaterhouseCoopers survey. Meanwhile, interconnected industrial devices make notoriously easy targets. And as the previously mentioned cyberattacks on industrial complexes illustrate, when an industrial hack occurs, the stakes are considerably higher.

In this article, I will describe the various ways that industrial firmware can be compromised. More to the point, I will recommend how to defend your company against cyberattacks, based on the latest research conducted by Fraunhofer, a coalition of research institutes that specialize in the legal, organizational and technical aspects of IT security, among many other issues relevant to business and industry. Executives enthusiastic about the possibilities of Industry 4.0 also need to understand the threats posed by manipulated firmware and take steps to protect their companies against them.

Breaking the Trust Chain

People in charge of defending networks frequently argue, "My devices run in a closed environment to which only authorized personnel have access. This makes my system secure." An examination of the various phases that a device goes through over the course of its life cycle reveals the holes in this argument.

Development & design phase. The first phase in which a device may be compromised is during its development. An attacker might deliberately introduce a vulnerability or back door by design. However, doing this means the same vulnerability or back door would be present for all users of that same type of firmware, raising the odds of someone detecting it. For attackers, building in a flaw at the conceptual level is less suitable for targeted attacks, as someone will likely find it and fix it somewhere along the line. Additionally, being able to compromise a device at the development and design phase requires a high degree of insider knowledge and access, making this option theoretically possible but comparatively costly for attackers.

Production phase. Manipulating firmware during its production would mean altering it right before or after it is incorporated into a device. This would include altering a single piece of firmware individually or a category of firmware generally. Introducing a compromise during production is suitable for targeted and non-targeted attacks. But, as with the development and design phase, doing that would require insider knowledge -- especially deep knowledge of the process of introducing firmware into devices -- as well as access to that process.

Transportation phase. This involves hijacking the shipping of the hardware. On the way to the customer, the hardware could be intercepted and manipulated firmware introduced into the device before it continues on to its destination. Since this approach requires physical access, it is less suitable for non-targeted attacks. However, it is an option for targeted ones. This kind of attack also requires insider knowledge, especially of the hardware ordered by a target and its delivery.

Operation phase. Once a device is in operation, there are two main ways to manipulate the firmware: through remote infection or through infection on the premises.

In the first case, someone without physical access to the device is able to manipulate or infect the firmware remotely -- through firmware updates, by exploiting some technical vulnerability or by misusing legitimate credentials -- making this a suitable option for targeted and non-targeted attacks.

Although remote infection still requires some form of access, that access is easier to obtain than direct physical access, which is why on-premises infection is suited mainly to targeted attacks. Besides the extra effort involved in gaining physical access, the attacker runs a very high risk of getting caught, as he or she has to be physically present on the target's premises.

Going back to the earlier argument -- that a system is secure because it runs in a closed environment and only authorized personnel have access to the devices -- we see that such protections are only relevant with regard to the operation phase. And even then, they do not completely rule out insider attacks.

Given this reality, a company's cybersecurity measures must be accompanied by additional, technically specialized ones that address insider attacks, as well as attacks in the other phases, in order to achieve an acceptable level of protection for critical systems.
